PROBLEM:

Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by an error related to ignoring @ServletSecurity annotations. An attacker could exploit this vulnerability to bypass security restrictions and launch further attacks on the system.

PLATFORM:

Apache Tomcat versions 7.0.0 through 7.0.10.

ABSTRACT:

Apache Tomcat May Ignore @ServletSecurity Annotation Protections. A remote user may be able to bypass @ServletSecurity annotation protections.

REFERENCE LINKS:

IMPACT ASSESSMENT:

Moderate

Discussion:

The vulnerability is caused due to the application not properly enforcing "@ServletSecurity" annotations when loading servlets. This can be exploited to e.g. bypass the security constraints specified via the annotations and disclose certain information.

Impact:

The system ignores @ServletSecurity annotations when starting a web application. As a result, some areas of the application do not receive the expected protection. A remote user may be able to bypass @ServletSecurity annotation protections.
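As an added illustration that is not part of this advisory or the Tomcat project's code: a hypothetical servlet carrying the kind of @ServletSecurity annotation the advisory refers to, together with a programmatic check inside the servlet so that access control does not depend solely on the container honouring the annotation. It assumes the web application declares a login-config in web.xml, which authenticate() needs in order to issue a challenge.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: the declarative constraint states that only users in the
// "admin" role may reach /admin/report. In an affected Tomcat the annotation may
// be ignored at startup, so the container would not challenge the request at all.
@WebServlet("/admin/report")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"admin"}))
public class AdminReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Defence in depth: Servlet 3.0 lets the servlet itself trigger the configured
        // login mechanism. authenticate() writes the challenge (401 or form redirect)
        // and returns false when no user has been established yet.
        if (req.getUserPrincipal() == null && !req.authenticate(resp)) {
            return; // challenge already sent by the container
        }
        // Role check performed in code, independent of annotation processing.
        if (!req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("report for " + req.getUserPrincipal().getName());
    }
}
```

An unauthenticated request to /admin/report should receive the login challenge rather than the report body; observing a 200 response for that request on a 7.0.0 to 7.0.10 instance is a direct way to confirm the annotation is being ignored.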